Extortionists make over $100,000 from threatening DDoS emails without ever launching an attack

Companies will go to extreme lengths to avoid becoming victims of distributed denial-of-service (DDoS) attacks, even if it means handing over cash to the cybercriminals who threaten to disrupt them. One group of extortionists realized this and has made over $100,000 by blackmailing organizations without ever having carried out an attack.

According to a post by DDoS protection provider CloudFlare, over 100 businesses worldwide have received emails from the “Armada Collective,” which demand payment of between 10 and 50 Bitcoins (approximately $4,600 – $23,000) under threat of a DDoS attack.

The Armada Collective is the gang that extorted $6,000 from ProtonMail last November to stop a sustained DDoS attack that had taken the email service offline.

“Our attacks are extremely powerful – sometimes over 1Tbps per second. And we pass CloudFlare and others’ remote protections! So, no cheap protection will help,” the email says. The criminals also warned that the longer the companies went without paying, the more the price would rise.

However, CloudFlare became suspicious after noticing that all the emails were asking for payment to be sent to the same Bitcoin address. “Because the extortion emails reuse Bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments,” said CloudFlare CEO Matthew Prince.

After investigating, CloudFlare discovered no evidence that any DDoS attacks had ever taken place. It also found that many of the Armada Collective’s original members are currently incarcerated in a European prison.

It seems the individuals sending these emails were just using the Armada Collective name as a way of cashing in on the original group’s infamy, and in all likelihood weren’t even capable of launching an attack.

CloudFlare warned that not all DDoS threats are empty, but if any company receives one from the “Armada Collective” it’s safe to ignore it.